RFC 2865 says:
Call the shared secret S and the pseudo-random 128-bit Request
Authenticator RA. Break the password into 16-octet chunks p1, p2,
etc. with the last one padded at the end with nulls to a 16-octet
boundary. Call the ciphertext blocks c(1), c(2), etc. We'll need
intermediate values b1, b2, etc.
   b1 = MD5(S + RA)       c(1) = p1 xor b1
   b2 = MD5(S + c(1))     c(2) = p2 xor b2
          .                       .
          .                       .
          .                       .
   bi = MD5(S + c(i-1))   c(i) = pi xor bi
The String will contain c(1)+c(2)+...+c(i) where + denotes
concatenation.
However, when calculating b2, b3, b4, etc., Secret+P1, Secret+P2, Secret+P3, etc. is used, when it should have been c(1), c(2), c(3), etc.
This means that passwords longer than 16 bytes will be calculated wrong and will not work.
Attached is a patch that fixes the problem.
Hope this helps you (or someone else)
Cheers
Esben
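
The chaining described in the report, as an added example that is not part of the original message or of the attached patch: it hides a password both ways and shows that the two agree for a single 16-octet block and diverge from the second block on. The function names, shared secret, Request Authenticator and passwords are constructed for illustration.

```python
import hashlib

BLOCK = 16  # MD5 digest size and RFC 2865 chunk size, in octets

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-secret"
REQUEST_AUTH = bytes(range(16))
SHORT_PW = b"short-pw"
LONG_PW = b"a-passphrase-longer-than-16-octets"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth, chain_plaintext=False):
    """RFC 2865 User-Password hiding as quoted above.

    chain_plaintext=True reproduces the reported bug: b(i) is derived
    from the previous plaintext chunk p(i-1) instead of c(i-1).
    """
    # Pad the last chunk with nulls to a 16-octet boundary.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = [], request_auth
    for i in range(0, len(padded), BLOCK):
        p = padded[i:i + BLOCK]
        c = _xor(p, hashlib.md5(secret + prev).digest())
        out.append(c)
        prev = p if chain_plaintext else c
    return b"".join(out)


def recover_password(hidden, secret, request_auth):
    """What a conforming receiver does: chain on the received ciphertext."""
    out, prev = [], request_auth
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        out.append(_xor(c, hashlib.md5(secret + prev).digest()))
        prev = c
    return b"".join(out).rstrip(b"\x00")


if __name__ == "__main__":
    for pw in (SHORT_PW, LONG_PW):
        good = hide_password(pw, SECRET, REQUEST_AUTH)
        bad = hide_password(pw, SECRET, REQUEST_AUTH, chain_plaintext=True)
        print(len(pw), "octets: encodings match =", good == bad,
              "| receiver recovers buggy encoding =",
              recover_password(bad, SECRET, REQUEST_AUTH) == pw)
```

Because the first block is identical in both variants, a test suite that only uses passwords of 16 octets or fewer will not catch this bug; include at least one longer password.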